In this RSA Conference 2011 interview, Michael Mimoso, Editorial Director of the Security Media Group at TechTarget, interviews Bruce Schneier, Chief Security Technology Officer of BT Group. Schneier breaks down Stuxnet malware analysis and gives his opinion on Stuxnet in the media.
Read the full transcript from this video below: Expert Bruce Schneier's Stuxnet malware analysis
Mike Mimoso: Hi, I'm Mike Mimoso, and I've got Bruce Schneier with me today. Hi, Bruce, how are you? Thanks for joining us.
Bruce Schneier: Yeah, thanks for having me.
Bruce Schneier: Of course, it's not totally new. It's funny. Everybody in this industry looks at it and says, yeah we knew about this, yeah, we knew this would happen. What's new is that it hit the mainstream media. So, awareness is new. The New York Times, that's new. It's not anything Stuxnet did; it's everyone's reaction to Stuxnet. It's been an interesting, slow reveal. We still don't have any definitive evidence. It's all anecdotal, it's all circumstantial. It's pretty good at this point.
Mike Mimoso: Yeah.
Bruce Schneier: There's been some good investigative journalism I've read that really points to Israel and the United States as the perpetrators of this. But, like all Internet worms, it doesn't come with a return address. We know it's very well written. We know it's very specially targeted. John Markoff, who writes for the Times, speculated that it's not that it was trying to break in, that the reason we know about it is that it accidentally broke out of the Bushehr nuclear power plant. Which is an interesting way of thinking about it. I think it's fascinating to watch, but we don't really have answers, we just have better formulations of questions.
Mike Mimoso: Right. You wouldn't think the perpetrators would want it to break out. They want that persistence, that quiet kind of presence.
Bruce Schneier: Well, I'm not sure.
Mike Mimoso: Yeah.
Bruce Schneier: The one way to think about Stuxnet is in 2007, Israel bombed a Syrian nuclear power plant. They used actual planes, and they made it very clear that they did it.
Mike Mimoso: Mm-hmm.
Bruce Schneier: There was value politically, in saying, we as Israel can do this to you, as Syria. Similar thing happens to Iran using a USB stick, and there is no return address. I am not sure what the geo-politics is of doing it in secret versus in public. Perhaps, Israel told Iran quietly, hey, we did this and here's proof. Maybe they didn't. I don't think we know, because we really haven't had much experience in doing these kinds of large-scale physical attacks in secret. We've always had secret political assassinations. That's been true for thousands of years. But that's not a technical difference, that's a difference in policy.
Mike Mimoso: Mm-hmm. So, it's uncharted waters politically?
Bruce Schneier: Well, I don't know how uncharted it is. I mean, it's certainly uncharted waters for me. I mean, this is not my area of expertise. It's political science. Certainly, people have studied anonymous assassinations versus assassinations that we know who did it and the difference politically. But I would expect that Israel might want to say to Iran that they did it. There has been an alternate theory that China was responsible.
Mike Mimoso: Yeah.
Bruce Schneier: There was some evidence; I don't think it's that good, that China did it. Now, does China want Iran to know, or does China want to pretend that Israel did it? Or does Israel want to pretend that China did it? Once you start thinking about all of these sort of false flags, and ways to put blame on somebody else, it's a lot more interesting than flying war planes where the enemy can look up and see your flag on the tail and know exactly where they came from.
Mike Mimoso: Is it a game changer in terms of how we think about cyber war?
Bruce Schneier: I don't think it's a game changer. I think anybody who's been thinking about the game knows it isn't. Again, I think for everybody out in the world who never thought about this before, to them, probability goes from zero to one, from "can't happen" to "it happened." We in computer security knew this was possible, knew this was feasible, knew it was only a matter of time. So, if it actually happens, it's no big deal to us. But, out in the real policy world, it's, "Wow! I never thought of that before." Suddenly, there's a USB stick that's taken out a centrifuge.
Mike Mimoso: How do you think Stuxnet was unique in terms of the infrastructure behind it, the funding and the planning and the process behind it? Is it something that we haven't seen before?
Bruce Schneier: What we've learned about Stuxnet is it was highly targeted. Some of the investigative journalism I have read recently says, the attackers, Israel, built a model of the plant they were attacking in their own facility. The test of it worked. The normal stuff is the USB sticks. We've all read about how bad USB sticks, the different faking of certificates, zero-day vulnerabilities. These are all terms we know, nothing exciting here, very well written. The new stuff, building a hardware facility, to test what you're doing? That's new.
There's probably stuff we don't know, ways that worm was deployed. That might have involved human assets. We know for tests, we scatter USB sticks in a parking lot. They get the organization, we break in that way. Probably didn't work here. They probably had to use something a little bit more advanced.
Mike Mimoso: Great. Thanks, Bruce. Thanks for joining us today.
Bruce Schneier: Thank you.
Mike Mimoso: And for more information, go to SearchSecurity.com.